IPFire 2.15 - Core Update 80 released

This is the official release announcement for IPFire 2.15 – Core Update 80. It comes with lots of new features, some bugfixes and some minor security fixes.

DNSSEC

There has been a crowdfunding on the IPFire wishlist which raised money for implementing a DNSSEC validating DNS proxy. The DNS proxy service that is running inside of IPFire has been forked and some features that were dropped in the upstream version have been backported.

IPFire now validates every DNS response of zones that are signed. If the DNSSEC signatures do not validate a DNS error is raised and therefore spoofing attacks are not longer possible. However, it is not sufficient for the internal DNS proxy to have DNSSEC enabled. Client systems should validate DNSSEC records, too, but we think that these changes block most spoofing attacks from the Internet and only DNS spoofing attacks from the local network are possible. The cache pool size has been increased so that dnsmasq is able to cache many DNS keys and signatures and that the verification does not harm the user experience.

It is required that the DNS servers from the Internet service providers validate DNSSEC as well. If not, you may change to one of those public DNS servers in this list. There is more information about DNS and IPFire on our wiki.

The user interface has been simplified and obsolete and deprecated features like wildcard support have been dropped.

There is support for all DNS providers that have been formerly supported. Providers that don’t exist any more have been removed and some new ones have been added: all-inkl.com, dhs.org, dns.lightningwirelabs.com, dnspark.com, dtdns.com, dyndns.org, dynu.com, easydns.com, enom.com, entrydns.net, freedns.afraid.org, namecheap.com, no-ip.com, nsupdate.info, opendns.com ovh.com, regfish.com, selfhost.de, spdns.org, strato.com, twodns.de, udmedia.de, variomedia.de, zoneedit.com.

Misc

The lzo libary has been updated to version 2.08 because of a potential, but very unlikely security issue filed under CVE-2014-4607.

wpa_supplicant has been updated to version 2.2.

strongswan has been updated to version 5.2.0

Ersan Yildirim submitted updates for the Turkish translation.

The dhcrelay binary and an initscript are shipped.

The bind tools have been updated to version 9.9.5 to support DNSSEC, too.

rng-tools have been updated to version 5 to support Intel processors that come with the RDRAND instruction, but without AES-NI.

squid web proxy: The minimum and maximum object size of objects that are put into the cache is no longer ignored.

Firewall hits by country: Fix chart for dial-up connections.

Static routes cannot be added twice into the configuration and must not be a part of any of the local networks.